Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: Software security and international relations collide as a Russian company falsely brands itself as a U.S. software supplier and makes its way into U.S. Army and CDC apps. Also: A Canadian supermarket chain has been hit with a ransomware attack.
This Week’s Top Story
Russian-made software disguised as American used in U.S. Army, CDC applications
This week, software supply chain security intersects with international relations. Reuters reports that computer code found in thousands of smartphone applications was developed by Pushwoosh, a technology company that has falsely branded itself as being based in the U.S. Reuters believes that the code is actually Russian, and that U.S. government entities used it in their apps in the belief that it was made by an American technology company.
One of the entities is the Centers for Disease Control and Prevention (CDC), the U.S. agency for fighting major health threats, with COVID-19 being a major example. The CDC claims that it was deceived into believing that Pushwoosh was based in the Washington, D.C. area. Once Reuters contacted the CDC to share that Pushwoosh has Russian roots, the agency removed the software from seven public-facing applications.
The U.S. Army was the other entity that used the misleadingly branded Pushwoosh software. It removed an app containing the code back in March 2022, due to security concerns. The app that contained the Pushwoosh code was used by soldiers at a main U.S. combat training base.
Reuters was able to find company documents publicly filed in Russia, which show that Pushwoosh is headquartered in Siberia, and is registered with the Russian government and pays taxes to Russia. Reuters also found several instances in which the company presented itself as being American via social media and U.S. regulatory filings.
Reuters found no evidence of Pushwoosh mishandling user data. However, Russian authorities have compelled local companies to disclose user data to domestic security agencies.
Additionally, as a result of Pushwoosh doing business with the U.S. government and several private companies, the company could be in violation of the U.S. Federal Trade Commission’s (FTC) laws, and it could trigger sanctions. The FTC, U.S. Treasury, and the Federal Bureau of Investigation (FBI) declined Reuters’s request for comment, so the legal details of this story are likely to develop in the future.
News Roundup
Here are the stories we’re paying attention to this week…
New Cybersecurity Advisory on Iranian government-sponsored APT actors compromising a federal network (CISA)
CISA and the FBI published a joint Cybersecurity Advisory (CSA), Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester. The CSA provides information on an incident at a Federal Civilian Executive Branch (FCEB) organization in which Iranian government-sponsored APT actors exploited a Log4Shell vulnerability in an unpatched VMware Horizon server.
Is your board prepared for new cybersecurity regulations? (Harvard Business Review)
Boards are now paying attention to the need to participate in cybersecurity oversight. Not only are the consequences sparking concern, but the new regulations are upping the ante and changing the game.
Windows Kerberos authentication breaks after November updates (Bleeping Computer)
Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos sign-in failures and other authentication problems after installing cumulative updates released during this month's Patch Tuesday.
Over 15,000 WordPress sites compromised in malicious SEO campaign (The Hacker News)
A new malicious campaign has compromised over 15,000 WordPress websites in an attempt to redirect visitors to bogus Q&A portals.
New York-barred attorneys required to complete cybersecurity, privacy, and data protection training (CSO)
New York-barred attorneys will be required to complete one continuing legal education (CLE) credit hour of cybersecurity, privacy, and data protection training as part of their biennial learning requirement beginning July 1, 2023.
Canadian supermarket chain hit by ransomware attack (Security Week)
Canadian supermarket and pharmacy chain Sobeys is recovering from a cyberattack that might have involved the Black Basta ransomware.